CA/B Forum Ballot 187 made CAA checking Mandatory for CAs, a revision of Ballot 125 which had CAs document their CAA policies.
CA/B Forum Ballot 204, adopted 4 months after, forbade CAs from delegating the performance of 3.2.2.4 and 3.2.2.5 (DNS and IP validation).
@CBonnell raised on the management list that this suggests that CAs are allowed to delegate part, or all, of the CAA validation to third parties, as this is located within section 3.2.2.8, which Ballot 204 does not speak to.
Ballot 187 is structured in a way to describe when a CA may choose to not check CAA (i.e. if doing as part of a precert/final cert issuance and the precert was checked and logged, if issuing from a technically constrained sub CA, or if an affiliate of the CA, notwithstanding draft ballot SC26). However, it doesn't explicitly address the delegation to a third-party (e.g. a non-technically constrained sub-CA) and how that performance is measured.
Given the critical security importance of 3.2.2.8, which was the reason and rationale for not allowing 3.2.2.4/3.2.2.5 to be delegated, it seems important to clarify whether or not 3.2.2.8 can or should be delegated to third parties.
barrini
commented
1 month ago
CA/B Forum Ballot 187 made CAA checking Mandatory for CAs, a revision of Ballot 125 which had CAs document their CAA policies.
CA/B Forum Ballot 204, adopted 4 months after, forbade CAs from delegating the performance of 3.2.2.4 and 3.2.2.5 (DNS and IP validation).
@CBonnell raised on the management list that this suggests that CAs are allowed to delegate part, or all, of the CAA validation to third parties, as this is located within section 3.2.2.8, which Ballot 204 does not speak to.
Ballot 187 is structured in a way to describe when a CA may choose to not check CAA (i.e. if doing as part of a precert/final cert issuance and the precert was checked and logged, if issuing from a technically constrained sub CA, or if an affiliate of the CA, notwithstanding draft ballot SC26). However, it doesn't explicitly address the delegation to a third-party (e.g. a non-technically constrained sub-CA) and how that performance is measured.
Given the critical security importance of 3.2.2.8, which was the reason and rationale for not allowing 3.2.2.4/3.2.2.5 to be delegated, it seems important to clarify whether or not 3.2.2.8 can or should be delegated to third parties.